From dec443e3a5b868a7a580f178a3739ab438e8c0db Mon Sep 17 00:00:00 2001 From: Brian Coca Date: Fri, 22 Jan 2021 14:58:35 -0500 Subject: [PATCH] why no mfa? (#73324) Co-authored-by: Sandra McCann Co-authored-by: Rick Elrod --- docs/docsite/rst/reference_appendices/faq.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/docsite/rst/reference_appendices/faq.rst b/docs/docsite/rst/reference_appendices/faq.rst index 6a847a21547..fce890479f0 100644 --- a/docs/docsite/rst/reference_appendices/faq.rst +++ b/docs/docsite/rst/reference_appendices/faq.rst @@ -739,6 +739,21 @@ fails if the remote filename requires quotes to escape spaces or non-ascii chara .. note:: If you see an ``invalid argument`` error when using ``-T``, then your SCP client is not performing filename validation and will not trigger this error. +.. _mfa_support: + +Does Ansible support multiple factor authentication 2FA/MFA/biometrics/finterprint/usbkey/OTP/... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +No, Ansible is designed to execute multiple tasks against multiple targets, minimizing user interaction. +As with most automation tools, it is not compatible with interactive security systems designed to handle human interaction. +Most of these systems require a secondary prompt per target, which prevents scaling to thousands of targets. They also +tend to have very short expiration periods so it requires frequent reauthorization, also an issue with many hosts and/or +a long set of tasks. + +In such environments we recommend securing around Ansible's execution but still allowing it to use an 'automation user' that does not require such measures. +This is something that Tower/AWX excels at by allowing administrators to set up RBAC access to inventory, along with managing credentials and job execution. + + .. _docs_contributions: How do I submit a change to the documentation?
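Review bot: The new section title has a typo and an unterminated question: "finterprint" should be "fingerprint", "multiple factor authentication" is normally written "multi-factor authentication", and the title lacks the closing "?" that the neighbouring FAQ title "How do I submit a change to the documentation?" has. If the title is changed, keep the ``+`` underline at least as long as the title text so the RST heading still parses. In the first paragraph, "so it requires frequent reauthorization" has no clear subject; "so they require frequent reauthorization" would agree with "They also tend to". In the second paragraph, the recommendation to use an 'automation user' that does not require such measures rests on "securing around Ansible's execution", which is never defined; say what that covers here, for instance by tying it directly to the RBAC access to inventory, credential management and job execution that the next sentence attributes to Tower/AWX, so readers do not take the FAQ as advice to simply exempt an account from MFA.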